methods, load modules, and/or user data elements. This private
body (method) section 806 is preferably encrypted using one or
more private body keys contained in the separate permissions
record 808. The data blocks 812 contain content (information or
administrative) that may be encrypted using one or more content
keys also provided in permissions record 808.

2. Traveling Objects 

Figure 19 shows an example of a "traveling object"
structure 860 provided by the preferred embodiment. Traveling
objects are objects that carry with them sufficient information to
enable at least some use of at least a portion of their content
when they arrive at a VDE node.

Traveling object structure 860 may be the same as
stationary object structure 850 shown in Figure 18 except that
the traveling object structure includes a permissions record
(PERC) 808 within private header 804. The inclusion of PERC
808 within traveling object structure 860 permits the traveling
object to be used at any VDE electronic appliance/participant 600
(in accordance with the methods 1000 and the contained PERC
808).

"Traveling" objects are a class of VDE objects 300 that can
specifically support "out of channel" distribution. Therefore, they
include key block(s) 810 and are transportable from one
electronic appliance 600 to another. Traveling objects may come
with a quite limited usage related budget so that a user may use,
in whole or part, content (such as a computer program, game, or
database) and evaluate whether to acquire a license or further
license or purchase object content. Alternatively, traveling object
PERCs 808 may contain or reference budget records with, for
example:

(a) budget(s) reflecting previously purchased rights or
credit for future licensing or purchasing and
enabling at least one or more types of object content
usage, and/or

(b) budget(s) that employ (and may debit) available
credit(s) stored on and managed by the local VDE
node in order to enable object content use, and/or

(c) budget(s) reflecting one or more maximum usage
criteria before a report to a local VDE node (and,
optionally, also a report to a clearinghouse) is
required and which may be followed by a reset
allowing further usage, and/or modification of one or
more of the original one or more budget(s).

WO 96/27155 PCT/US96/02303

As with standard VDE objects 300, a user may be required
to contact a clearinghouse service to acquire additional budgets if
the user wishes to continue to use the traveling object after the
exhaustion of an available budget(s) or if the traveling object (or
a copy thereof) is moved to a different electronic appliance and
the new appliance does not have available credit budget(s) that
correspond to the requirements stipulated by permissions record
808.

For example, a traveling object PERC 808 may include a
reference to a required budget VDE 1200 or budget options that
may be found and/or are expected to be available. For example,
the budget VDE may reference a consumer's VISA, MC, AMEX,
or other "generic" budget that may be object independent and
may be applied towards the use of a certain or classes of traveling
object content (for example any movie object from a class of
traveling objects that might be Blockbuster Video rentals). The
budget VDE itself may stipulate one or more classes of objects it
[...] certain one or more generic budgets. Under such circumstances,
VDE providers will typically make [illegible]
a manner as to allow correct referencing and to enable billing
handling and resulting payments.



Traveling objects can be used at a receiving VDE node
electronic appliance 600 so long as either the appliance carries
the correct budget or budget type (e.g. sufficient credit available
from a clearinghouse such as a VISA budget) either in general or
for specific one or more users or user classes, or so long as the
traveling object itself carries with it sufficient budget allowance
or an appropriate authorization (e.g., a stipulation that the
traveling object may be used on certain one or more installations
or installation classes or users or user classes where classes
correspond to a specific subset of installations or users who are
represented by predefined class identifiers stored in a secure
database 610). After receiving a traveling object, if the user
(and/or installation) doesn't have the appropriate budget(s)
and/or authorizations, then the user could be informed by the
electronic appliance 600 (using information stored in the
traveling object) as to which one or more parties the user could
contact. The party or parties might constitute a list of alternative
clearinghouse providers for the traveling object from which the
user selects his desired contact.

As mentioned above, traveling objects enable objects 300 to
be distributed "Out-Of-Channel"; that is, the object may be
distributed by an unauthorized or not explicitly authorized
individual to another individual. "Out of channel" includes paths
of distribution that allow, for example, a user to directly
redistribute an object to another individual. For example, an
object provider might allow users to redistribute copies of an
object to their friends and associates (for example by physical
delivery of storage media or by delivery over a computer network)
such that if a friend or associate satisfies any certain criteria
required for use of said object, he may do so.

For example, if a software program was distributed as a
traveling object, a user of the program who wished to supply it or
a usable copy of it to a friend would normally be free to do so.
Traveling Objects have great potential commercial significance,
since useful content could be primarily distributed by users and
through bulletin boards, which would require little or no
distribution overhead apart from registration with the "original"
content provider and/or clearinghouse.

The "out of channel" distribution may also allow the
provider to receive payment for usage and/or elsewise maintain
at least a degree of control over the redistributed object. Such
certain criteria might involve, for example, the registered
presence at a user's VDE node of an authorized third party
financial relationship, such as a credit card, along with sufficient
available credit for said usage.

Thus, if the user had a VDE node, the user might be able to
use the traveling object if he had an appropriate, available
budget available on his VDE node (and if necessary, allocated to
him), and/or if he or his VDE node belonged to a specially
authorized group of users or installations and/or if the traveling
object carried its own budget(s).

Since the content of the traveling object is encrypted, it can
be used only under authorized circumstances unless the traveling
object private header key used with the object is broken — a
potentially easier task with a traveling object as compared to, for
example, permissions and/or budget information since many
objects may share the same key, giving a cryptoanalyst both more
information in cyphertext to analyze and a greater incentive to
perform cryptoanalysis.

In the case of a "traveling object," content owners may
distribute information with some or all of the key blocks 810
included in the object 300 in which the content is encapsulated.
Putting keys in distributed objects 300 increases the exposure to
attempts to defeat security mechanisms by breaking or
cryptoanalyzing the encryption algorithm with which the private
header is protected (e.g., by determining the key for the header's
encryption). This breaking of security would normally require
considerable skill and time, but if broken, the algorithm and key
could be published so as to allow large numbers of individuals
who possess objects that are protected with the same key(s) and
algorithm(s) to illegally use protected information. As a result,
placing keys in distributed objects 300 may be limited to content
that is either "time sensitive" (has reduced value after the
passage of a certain period of time), or which is somewhat limited
in value, or where the commercial value of placing keys in objects
(for example convenience to end-users, lower cost of eliminating
the telecommunication or other means for delivering keys and/or
information and/or the ability to support objects
going "out-of-channel") exceeds the cost of vulnerability to
sophisticated hackers. As mentioned elsewhere, the security of
keys may be improved by employing convolution techniques to
avoid storing "true" keys in a traveling object, although in most
cases using a shared secret provided to most or all VDE nodes by
a VDE administrator as an input rather than site ID and/or time
in order to allow objects to remain independent of these values.

As shown in Figure 19 and discussed above, a traveling
object contains a permissions record 808 that preferably provides
at least some budget (one, the other, or both, in a general case).
Permission records 808 can, as discussed above, contain a key
block(s) 810 storing important key information. PERC 808 may
also contain or refer to budgets containing potentially valuable
quantities/values. Such budgets may be stored within a traveling
object itself, or they may be delivered separately and protected by
highly secure communications keys and administrative object
keys and management database techniques.

The methods 1000 contained by a traveling object will
typically include an installation procedure for "self registering"
the object using the permission records 808 in the object (e.g., a
REGISTER method). This may be especially useful for objects
that have time limited value, objects (or properties) for which the
end user is either not charged or charged only a nominal fee
(e.g., objects for which advertisers and/or information publishers
are charged based on the number of end users who actually
access published information), and objects that require widely
available budgets and may particularly benefit from
out-of-channel distribution (e.g., credit card derived budgets for
objects containing properties such as movies, software programs,
games, etc.). Such traveling objects may be supplied with or
without contained budget UDEs.

One use of traveling objects is the publishing of software,
where the contained permission record(s) may allow potential
customers to use the software in a demonstration mode, and
possibly to use the full program features for a limited time before
having to pay a license fee, or before having to pay more than an
initial trial fee. For example, using a time based billing method
and budget records with a small pre-installed time budget to
allow full use of the program for a short period of time. Various
control methods may be used to avoid misuse of object contents.
For example, by setting the minimum registration interval for
the traveling object to an appropriately large period of time (e.g.,
a month, or six months or a year), users are prevented from
re-using the budget records in the same traveling object.

Another method for controlling the use of traveling objects
is to include time-aged keys in the permission records that are
incorporated in the traveling object. This is useful generally for
traveling objects to ensure that they will not be used beyond a
certain date without re-registration, and is particularly useful for
traveling objects that are electronically distributed by broadcast,
network, or telecommunications (including both one and two way
cable), since the date and time of delivery of such traveling
objects aging keys can be set to accurately correspond to the time
the user came into possession of the object.

Traveling objects can also be used to facilitate "moving" an
object from one electronic appliance 600 to another. A user could
move a traveling object, with its incorporated one or more
permission records 808 from a desktop computer, for example, to
his notebook computer. A traveling object might register its user
within itself and thereafter only be [illegible]. A
traveling object might maintain separate budget information, one
for the basic distribution budget record, and another for the
"active" distribution budget record of the registered user. In this
way, the object could be copied and passed to another potential
user, and then could be a portable object for that user.



Traveling objects can come in a container which contains
other objects. For example, a traveling object container can
include one or more content objects and one or more
administrative objects for registering the content object(s) in an
end user's object registry and/or for providing mechanisms for
enforcing permissions and/or other security functions. Contained
administrative object(s) may be used to install necessary
permission records and/or budget information in the end user's
electronic appliance.

Content Objects

Figure 20 shows an example of a VDE content object
structure 880. Generally, content objects 880 include or provide
information content. This "content" may be any sort of electronic

A Capsulated Content Providing Services Adaptable for User's Requests

3.2 Description of Ticket Method

In a capsulated content, component data stored in each gate
keeper is symmetrically encrypted by a key exclusive to that
component data. Blocks of component data are denoted by
$D_1, D_2, \ldots, D_n$, and keys for the blocks of data are denoted by
$K_1, K_2, \ldots, K_n$. Then, the encrypted component data stored in the
respective gate keepers can be expressed as follows:

$ED_n = \{D_n\}_{K_n}$

At this time, from a key $K_i$, a value $TK_i^{UK}$ is calculated.
"UK" is a value corresponding to one particular service with regard
to one particular block of component data, and this is called a use
key.

$TK_i^{UK} = \{K_i\}_{UK}$

$UK = \mathrm{hash}(\mathrm{spec}(ED_i, \mathrm{service}))$

The $\mathrm{spec}(ED_i, \mathrm{service})$ is expressed as "name of a
content/author/content data ID/service ID".

The encrypted component data $ED_i$ is enclosed in the
capsule, and the data $ED_i$ and the ticket key for a particular
service $TK_i^{UK}$ are recorded in an ACL and controlled by a ticket
server. In the MediaShell, the ticket server functions as a
reliable third party.

Next, decryption of the encrypted component data is
described. As mentioned above, at an arbitrary time, a user
requests a service with regard to a component data, and the
user gets a ticket corresponding to the service. Thereafter,
decryption and output of the component data are performed. This
procedure can be expressed as follows:

(1) $UK = \mathrm{hash}(\mathrm{spec}(ED_i, \mathrm{service}))$

(2) $K_i = \{TK_i^{UK}\}_{UK}$

(3) $D_i = \{ED_i\}_{K_i}$

In this method, thus, different ticket keys are generated for
different services with regard to each component data, and the
ticket, in which the ticket key is recorded, is delivered. If a
decryption key were recorded in the ticket, it would be easy for other
users to get the component data illegally by taking out the
decryption key. In this method, however, since the decryption key
is not recorded in the ticket, the component data is secured from
such illegalities. The security is discussed in section
5.1.
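
The ticket method of section 3.2 as an added Python example (not code from the paper), showing that a ticket key issued for one service does not open the data when presented for another. SHA-256 as the hash, a SHA-256 keystream with an HMAC tag standing in for the paper's Blowfish, and all function names and sample values are assumptions.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream (stand-in cipher, not Blowfish)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(b"enc" + key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """{data}_key: encrypt, then append an HMAC tag so a wrong key is detected."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def spec(content: str, author: str, data_id: str, service_id: str) -> str:
    # "name of a content/author/content data ID/service ID"
    return "/".join((content, author, data_id, service_id))

def use_key(spec_str: str) -> bytes:
    """UK = hash(spec(ED_i, service)), truncated to 128 bits (assumed size)."""
    return hashlib.sha256(spec_str.encode()).digest()[:16]

def issue_ticket_key(k_i: bytes, spec_str: str) -> bytes:
    """Ticket server side: TK_i = {K_i}_UK."""
    return seal(use_key(spec_str), k_i)

def gate_keeper_open(ticket_key: bytes, spec_str: str, ed_i: bytes) -> bytes:
    """Gate keeper side: recompute UK, recover K_i from TK_i, decrypt ED_i."""
    k_i = unseal(use_key(spec_str), ticket_key)
    return unseal(k_i, ed_i)

def demo():
    d_i = b"constructed sample component data"        # D_i (constructed)
    k_i = os.urandom(16)                               # K_i, 128-bit
    ed_i = seal(k_i, d_i)                              # ED_i = {D_i}_{K_i}
    view = spec("album", "alice", "photo-1", "view")   # constructed names
    prnt = spec("album", "alice", "photo-1", "print")
    tk_view = issue_ticket_key(k_i, view)
    ok = gate_keeper_open(tk_view, view, ed_i) == d_i
    try:
        gate_keeper_open(tk_view, prnt, ed_i)          # ticket presented for another service
        cross = "accepted"
    except ValueError:
        cross = "rejected"
    return ok, cross

if __name__ == "__main__":
    print(demo())
```

Because UK is computed only from the non-secret spec string, the ticket key's protection rests on the ticket's transport encryption and on the gate keeper, which is the limitation section 5.1 discusses for the third kind of illegality.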

5.1 Security

Users' and authors' advantages which are obtained from the 
use of tickets and IC cards have been described above. Now, 
security from illegal usage of digital contents is discussed. 

In distribution of capsulated digital contents by use of
tickets, various kinds of illegalities are possible. However,
these illegalities can be generally classified as follows:

1. analysis of encrypted component data by a user or a third party

2. theft of a ticket by a third party

3. illegal use of a ticket for other services by a user

4. illegal delivery of a ticket from a user to a third party

Digital contents are secured from illegalities of the first
kind by encrypting the component data with Blowfish using
a key length of 128 bits. Encryption at this level is very
safe, and according to the estimate given in document [7] (B.
Schneier, Applied Cryptography 2nd Ed., Wiley, 1996), if
attacker hardware which can decrypt DES in an average of 2 minutes is
used, it would take lO'*-' years to decrypt the encrypted component 
data. 

With regard to illegalities of the second kind, as already
described in chapter 3, the tickets are encrypted by use of an
open key for users. Therefore, even if a third party steals a ticket,
the third party cannot use the ticket unless he/she has the
user's private key.

With regard to illegalities of the third kind, since the ticket
keys are not decryption keys, it would be difficult for an ordinary
user to use a ticket key for other services. However, a sufficiently
skillful user may be able to trace the operation of gate keepers
and/or may imitate the method described in chapter 3. By
adopting an obfuscation technique which confuses data flows, it
would be more difficult to trace the data flows. Also, illegal
decryption of decryption keys can be prevented by
heightening the level of generation of the use keys.

Finally, with regard to illegalities of the fourth kind, since
the ticket delivered to each user is encrypted by use of an open key,
when the user delivers the ticket to a third party, the user must do
either one of the following things: (1) attaching the user's private
key; or (2) decrypting the ticket and again encrypting the ticket
by use of the third party's open key. The illegality (1) is
technically easy to commit. However, revealing the user's own
private key, which is an identification on a network, is unrealistic.
The illegality (2) requires a certain extent of skill. However, the
illegality (2) is psychologically easy to commit. At present, it is
impossible to prevent these illegalities. However, by storing
private keys in an IC card and by setting rights to access the
private keys properly, it will be more difficult to commit these
illegalities. Also, since a ticket is effective for only one block of
component data, even if a ticket is delivered illegally, the damage
will be only one photograph or so, and the economic damage will
be minimal. This is also an advantage of a MediaShell
capsulated content.